IBM added a new parameters (REFBEFOR and REFAFTER) to the SLIP command with z/OS 2.1. What is needed for ACF2 security?

Document ID : KB000028866
Last Modified Date : 14/02/2018
Show Technical Document Details

Description

IBM added a new parameters (REFBEFOR and REFAFTER) to the SLIP command with z/OS 2.1.  What is needed for ACF2 security?

Summary

As of z/OS V2R1, a RACROUTE AUTH check is now performed for a SLIP command that is issued with action of REFAFTER or REFBEFOR. This change might affect your installation, depending on the security product you are using.  

Detail

The security FACILITY class entity IEASLIP.REFRESH is provided for using the REFBEFOR and REFAFTER keywords on the SLIP command. When the IEASLIP.REFRESH
FACILITY class profile is defined, the SLIP command issuer must have UPDATE access to that profile to use the REFAFTER and REFBEFOR keywords.           

If you are going to use new keywords REFBEFOR and REFAFTER on the SLIP command in z/OS 2.1, then a new RACROUTE AUTH call will be made for resource IEASLIP.REFRESH using resource class FACILITY.  A user needs to have UPDATE authority for this call to be able to do it.  Here would be a sample rule:                
                                                                            
$KEY(IEASLIP.REFRESH) TYPE(FAC)                                             
 UID(uid string of user) SERVICE(UPDATE) ALLOW      

If your FAC rules are resident, then you need to issue a REBUILD to implement the rule:  F ACF2,REBUILD(FAC)